[RESTRICT AUTOMERGE] Added missing permission check to isPackageDeviceAdminOnAnyUser.

Added a check for the MANAGE_USERS permission to
PackageManagerService#isPackageDeviceAdminOnAnyUser.

Test: Modify the settings app to log the call attempt and follow the
steps below

In order to work around the limitations of N builds we needed to modify
the settings app to log the call attempt. This is described in detail at
b/128599183#comment15

Bug: 128599183
Change-Id: Ie96c8e174983f61574f12d5d4b210d06377054e5
(cherry picked from commit 7b5a576965696747041c93306a41ed656404ed20)

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 7095a76..cee56c3 100644 (file)
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -15789,6 +15789,13 @@ public class PackageManagerService extends IPackageManager.Stub {
 
     @Override
     public boolean isPackageDeviceAdminOnAnyUser(String packageName) {
+        final int callingUid = Binder.getCallingUid();
+        if (checkUidPermission(android.Manifest.permission.MANAGE_USERS, callingUid)
+                != PERMISSION_GRANTED) {
+            EventLog.writeEvent(0x534e4554, "128599183", -1, "");
+            throw new SecurityException(android.Manifest.permission.MANAGE_USERS
+                    + " permission is required to call this API");
+        }
         return isPackageDeviceAdmin(packageName, UserHandle.USER_ALL);
     }